1. Field of the Invention.
This invention relates in general to a security management device, and in particular, to a method and apparatus for preventing eavesdropping using an invalid symbol to jam data communications to unintended network devices in a communications network.
2. Description of Related Art.
Recent advancements in the art of data communications have provided great strides in resource sharing amongst computer systems through the use of networks which offer reliable high-speed data channels. Networks allow versatility by defining a common standard for communication so that information independent of vendor equipment may be exchanged across user applications. As the popularity of networks increases, so does the demand for performance. More sophisticated protocols are being established to meet this demand and are utilizing existing twisted pair wires in office buildings so that virtually all computer-literate users have access to resources with minimal expense.
A multi-port repeater is a communications network device which is commonly used to provide network access to end user stations such as personal computers, workstations and so on. This device has multiple "ports". In many cases, each port is connected to one end node using the 10BASE-T "Twisted Pair" or 100BASE-X connection defined by the IEEE 802.3 Standard. The ports serve as physical interfaces between the communications network device and the end user stations. Each port is operated according to the IEEE 802.3 Repeater Specification. When a data communications packet (packet) is received from any single port, it is repeated to all other ports in accordance with the standard. When more than one packet is received at the same time, the multi-port repeater performs the collision algorithm as defined in the standard.
An Ethernet bridge is a device with two or more physical ports that is capable of forwarding a packet received on any port to any other single port based on the destination address of the packet. A packet that is not forwarded to a port is considered filtered.
A Media Access Control (MAC) function converts digital information, typically stored in memory in the form of a packet, into an actual Ethernet frame which can be transmitted on an Ethernet connection, or a frame received from the network connection which is stored in memory as a packet.
One of the key issues involving network security is the problem of eavesdropping. Eavesdropping occurs because a packet received on one port of a repeater is repeated to all ports on the repeater. Thus, absent some security mechanism, network devices connected to ports other than the one associated with the destination address in the data packet will also receive the packet. Ethernet bridges do not have this problem: using the source and destination information contained within the packet, a bridge can forward the packet only to the intended port, i.e., the port connected to an end user station whose address matches the destination address in the packet, without repeating the packet to devices resident on the other ports.
A need exists for improved security mechanisms to prevent eavesdropping on LAN or WAN networks employing multi-port repeaters without the expense or signal delay associated with the use of bridges. In typical network operations using "multi-port repeaters," each port of the multi-port repeater is permanently dedicated to a single user. To the network, this user is uniquely identified by the Ethernet address associated with the user's end-node device (such as a personal computer, workstation, etc.). Every time the user sends out a packet onto the network, the end node automatically transmits its unique Ethernet address in the "Source Address Field" defined by the IEEE 802.3 Standard as part of the packet. The packet also includes a "Destination Address Field" to identify the end node that is intended to receive the packet.
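The difference between a repeater and a bridge described above can be made concrete with a small simulation. The following Python example is added here for illustration and is not part of the patent text; the MAC addresses, port assignments and class names are constructed for the example. The repeater repeats every frame to all other ports, while the bridge learns which port each source address is attached to and forwards to that single port once the destination is known.

```python
from typing import Dict, Set

# Constructed six-byte MAC addresses for the end nodes in this example.
NODE_A = bytes.fromhex("020000000001")
NODE_B = bytes.fromhex("020000000002")
NODE_C = bytes.fromhex("020000000003")
BROADCAST = b"\xff" * 6


class MultiPortRepeater:
    """IEEE 802.3 repeater behaviour: a frame arriving on one port is
    repeated to every other port, regardless of its destination address."""

    def __init__(self, port_count: int) -> None:
        self.ports = range(port_count)

    def forward(self, in_port: int, dst: bytes, src: bytes) -> Set[int]:
        return {p for p in self.ports if p != in_port}


class LearningBridge:
    """Transparent bridge: learn which port each source address lives on,
    forward to that port only when the destination is known, otherwise flood."""

    def __init__(self, port_count: int) -> None:
        self.ports = range(port_count)
        self.table: Dict[bytes, int] = {}

    def forward(self, in_port: int, dst: bytes, src: bytes) -> Set[int]:
        # Source-address learning: remember where this sender is attached.
        self.table[src] = in_port
        out_port = self.table.get(dst)
        if dst != BROADCAST and out_port is not None:
            # Destination known: deliver to that single port; every other
            # port filters the frame (never sees it).
            return set() if out_port == in_port else {out_port}
        # Unknown or broadcast destination: flood like a repeater would.
        return {p for p in self.ports if p != in_port}


def eavesdropping_ports(device, in_port: int, dst: bytes, src: bytes,
                        dst_port: int) -> Set[int]:
    """Ports that receive a copy of the frame although they do not host
    the destination address, i.e. the ports where eavesdropping is possible."""
    return device.forward(in_port, dst, src) - {dst_port}


def run_scenario() -> Dict[str, Set[int]]:
    """Constructed attachment: A on port 0, B on port 1, C on port 2."""
    results = {}
    for name, dev in (("repeater", MultiPortRepeater(3)),
                      ("bridge", LearningBridge(3))):
        # B first sends a frame to A, so the bridge learns that B is on port 1.
        dev.forward(1, NODE_A, NODE_B)
        # A now sends to B: which ports other than B's receive a copy?
        results[name] = eavesdropping_ports(dev, 0, NODE_B, NODE_A, dst_port=1)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

On the repeater, C's port (port 2) receives A's frame to B; on the bridge, once B's port has been learned, no port other than B's receives it, which is exactly the filtering the text attributes to bridges.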
One scenario which network security schemes encounter is network devices intercepting sensitive or confidential data not intended for them. One means of dealing with this problem is to suspend the transmission of the data to the unintended network devices. However, a major drawback with this solution is the possibility of unacceptable collisions occurring when those network devices attempt to transmit not realizing that there is existing network traffic. This solution also violates the IEEE 802.3 repeater standard.
One means of preventing eavesdropping is disclosed in U.S. Pat. Nos. 5,161,192 and 4,901,348, issued to Carter et al. and Nichols et al., respectively. Using this method, eavesdropping is prevented by substituting an independent or random bit pattern in place of the data transmitted to unintended network devices. These security systems rely on the fact that the substitution of an independent bit pattern will result in a data frame that is not a legal data frame according to the IEEE 802.3 Standard or the LAN protocol. More specifically, the IEEE 802.3 Standard defines a media access control (MAC) frame structure which includes a method for checking the validity of the transmitted data. A cyclic redundancy check (CRC) value is calculated using a predefined algorithm applied to the data packet contents, excluding the start frame delimiter (SFD) and frame check sequence (FCS) fields. The transmitting device inserts the calculated CRC value in the FCS field for outgoing data packets. The receiving device calculates the CRC value over the received data packet and compares it with the value in the FCS field of the transmitted packet. If the values are not identical, an error results which indicates that the data packet is invalid. Although this method identifies an illegal data frame a high percentage of the time, there remains a possibility that the independent bit pattern will happen to be consistent with its FCS field, so that no error is generated. In such a case, the unintended network device has no indication that it was not the intended destination and that the data is invalid. This can result in unnecessary and undesired negative consequences. Erroneously using the independent or random bit pattern as legitimate data may lead a user or a network device to take inappropriate and potentially damaging actions based on those results.
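The FCS check described above, together with the residual weakness of random-bit substitution, can be shown in code. The following Python example is added for illustration and is not from the patent or the cited Carter and Nichols patents; the addresses, payload and the `substitute_random_bits` jamming model are constructed for the example. It builds a frame with a correct FCS, models the receiver's CRC comparison, replaces the data with an independent bit pattern, and states the per-frame probability that such a pattern still passes the 32-bit check.

```python
import random
import struct
import zlib

# Constructed header values (locally administered addresses, IPv4 EtherType).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
ETHERTYPE_IPV4 = 0x0800
HEADER_LEN = 14
FCS_LEN = 4


def compute_fcs(covered: bytes) -> bytes:
    # The IEEE 802.3 FCS is a CRC-32 over destination address, source address,
    # length/type and data; the preamble and SFD are excluded. zlib.crc32 uses
    # the same polynomial, bit order, initial value and final inversion, and
    # the result is placed on the wire least-significant byte first.
    return struct.pack("<I", zlib.crc32(covered) & 0xFFFFFFFF)


def build_frame(payload: bytes) -> bytes:
    """Transmitter side: append the calculated CRC as the FCS field."""
    covered = DST + SRC + struct.pack(">H", ETHERTYPE_IPV4) + payload
    return covered + compute_fcs(covered)


def fcs_is_valid(frame: bytes) -> bool:
    """Receiver side: recompute the CRC and compare it with the FCS field."""
    if len(frame) < HEADER_LEN + FCS_LEN:
        return False
    return compute_fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def substitute_random_bits(frame: bytes, seed: int) -> bytes:
    """Model of the random-bit-pattern approach: keep the header so the frame
    length is unchanged, replace the data and FCS with an independent pattern
    (seeded here only so that runs are repeatable)."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(len(frame) - HEADER_LEN))
    return frame[:HEADER_LEN] + filler


def residual_acceptance_probability() -> float:
    # A pattern independent of the data passes a 32-bit CRC with probability
    # 2**-32 per frame: the receiver rejects almost always, but the rejection
    # is probabilistic rather than an unambiguous signal of invalidity.
    return 2.0 ** -32


def demo():
    frame = build_frame(b"confidential payroll record")  # constructed payload
    jammed = substitute_random_bits(frame, seed=1)
    return fcs_is_valid(frame), fcs_is_valid(jammed)


if __name__ == "__main__":
    print(demo(), residual_acceptance_probability())
```

The CRC detects every single-bit corruption and all but a 2^-32 fraction of arbitrary substitutions, which matches the text: the substituted pattern is almost always recognised as an illegal frame, but the receiver cannot distinguish the rare pass from genuine data.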
As the above demonstrates, a need exists for improved security mechanisms to prevent eavesdropping on LAN or WAN networks employing multi-port repeaters wherein a data packet sent to an unintended network device is jammed in a way that unambiguously indicates to the receiving network device that the data contained in the data packet is invalid.